I really love zabbix and I using it for monitoring almost everything. Below I describe how to use it for checking amount of packets dropped by iptables .
Why it's nice to monitor amount of dropped packets? It will show you amount of traffic blocked by host firewall and anomalies in the traffic inform you about attack (DDOS) or firewall misconfiguration.
Sure thing, you can log all dropped packets and analyze packet's log by your SIEM solution.
I propose simple way to get quick results and increase system protection without significant investment of money or your time.
1. Get dropped packets counters from iptables:
- if you use default policy DROP for INPUT:
iptables -L -n -v -x | grep "Chain INPUT" | awk {'print $7'}
- if you use DROP rule:
iptables -L -n -v -x | grep DROP | awk {'print $2'}
2. To run iptables command you need to have root privileges, so zabbix agent (which running normally under "zabbix" user account) can't do it without following tricks:
Instead of setting SUID flag for whole iptables (very bad idea ), I propose to create simple C program that will have SUID flag and able to get only amount of dropped packets:
#include
#include
#include
#include
int main()
{
setuid( 0 );
system("/sbin/iptables -L -n -v -x | grep 'Chain INPUT' | awk {'print $7'}");
return 0;
}
The trick here: change "Store value" parameter to "Delta (simpe change)"
it will store difference between counters, so show you new traffic between update interval.
Use this new item to build a Graph and stay informed!
Why it's nice to monitor amount of dropped packets? It will show you amount of traffic blocked by host firewall and anomalies in the traffic inform you about attack (DDOS) or firewall misconfiguration.
Sure thing, you can log all dropped packets and analyze packet's log by your SIEM solution.
I propose simple way to get quick results and increase system protection without significant investment of money or your time.
1. Get dropped packets counters from iptables:
- if you use default policy DROP for INPUT:
iptables -L -n -v -x | grep "Chain INPUT" | awk {'print $7'}
- if you use DROP rule:
iptables -L -n -v -x | grep DROP | awk {'print $2'}
2. To run iptables command you need to have root privileges, so zabbix agent (which running normally under "zabbix" user account) can't do it without following tricks:
Instead of setting SUID flag for whole iptables (very bad idea ), I propose to create simple C program that will have SUID flag and able to get only amount of dropped packets:
# vi /usr/bin/iptables_drop.c
#include
#include
#include
#include
{
setuid( 0 );
system("/sbin/iptables -L -n -v -x | grep 'Chain INPUT' | awk {'print $7'}");
return 0;
}
compile:
#gcc iptables_drop.c -o iptables_drop
change permissions:
#chmod 4111 /usr/bin/iptables_drop
3. Now let's add a zabbix custom parameter in /etc/zabbix/zabbix_agentd.conf:
UserParameter=iptables.block,/usr/bin/iptables_drop
4. Now add corresponding item to zabbix checks list:
The trick here: change "Store value" parameter to "Delta (simpe change)"
it will store difference between counters, so show you new traffic between update interval.
Use this new item to build a Graph and stay informed!